
1 Virtual Dark IP for Internet Threat Detection. Akihiro Shimoda & Shigeki Goto, Waseda University, {shimo,goto}@goto.info.waseda.ac.jp

2 Black Hole (image: sprott.physics.wisc.edu/pickover/embed.jpg)

3 Dark IP: an IP address that is neither assigned nor used, or one that is allocated to a machine which does not respond to any incoming packet. (Figure: incoming packets arrive at the Dark IP; no response is sent.)

4 Dark IP Sensor Box: a PC holding a Dark IP sits behind a firewall that accepts all incoming packets and blocks all outgoing packets. Anomalous packets from an attacker are logged, and the sensor never responds.

5 Example: observation system with physical sensors. Distributed sensors on the Internet, each behind a firewall, send log data to a database and analysis server; its outputs are web, image and sound views, statistics data and alert information.

6 Packets captured by a Dark IP:
- port scanning or host scanning
- backscatter packets of DDoS (distributed DoS)
- various configuration mistakes

7 Backscatter of DDoS: attackers send DDoS packets to TARGET (IP address X.X.X.X) with spoofed source IP addresses. TARGET replies to those spoofed addresses, so the backscatter packets (source: TARGET, destination: spoofed IP address) land on other hosts and servers across the Internet, including Dark IPs.

8 Virtual Sensors: within the monitored address space, normal hosts and normal servers take part in mutual (two-way) communications, while unused IP space offers no service and only ever sees one-way access from attackers. Those unused addresses, identified from the Netflow packets exported by the router, serve as Virtual Sensors.

9 Pros and Cons
Pros:
- No need for physical sensors
- Analyze thousands of Virtual Sensors simultaneously
- Covers a wide variety of traffic on a target router
Cons:
- Target router must support Netflow
- Accuracy degraded by Netflow sampling
- Some errors in locating Virtual Dark IPs

10 Netflow v5 record (example export for a flow from Host A to Host B through the router's interfaces Fa 1/0 and Fa 0/0):

  Start Time  2006/3/10 12:31:15    SrcIP    X.X.X.X    DstIP    Y.Y.Y.Y
  End Time    2006/3/10 12:31:18    SrcMask  /24        DstMask  /24
  Protocol    6                     SrcPort  23221      DstPort  20
  TOS         80                    SrcAS    1000       DstAS    2000
  Flags       10                    SrcIF    Fa 1/0     DstIF    Fa 0/0
  Packets     1200                  KBytes   6400

Host A: IP X.X.X.X/24, port 23221, AS 1000. Host B: IP Y.Y.Y.Y/24, port 20, AS 2000.

11 Flow capture and analysis process: Netflow router -> flow-tools -> Netflow database -> flow attributes -> Virtual Sensor detection algorithm (virtual sensor candidates -> virtual sensors) -> anomaly packets collector -> results output.

12 Locating Virtual Sensors (algorithm): addresses start as Virtual Sensor candidates and are promoted to Virtual Sensors; a senders list (cache) records which addresses have been seen transmitting, and a candidate survives only while it is not seen as a sender or not communicating.
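The following is an added example written for this transcript, not the authors' flow-tools pipeline. It implements the slide-8/12 idea on constructed NetFlow-v5-style records: an address inside the monitored prefix that only ever appears as a destination (never in the senders cache) is a Virtual Sensor, and inbound flows to it are labelled with the slide-6 categories using the record's cumulative TCP flags (SYN-only as scanning, SYN-ACK or RST as DDoS backscatter). The monitored prefix, the window-based reading of "Life Time", and the sample flows are all assumptions.

```python
"""Virtual dark-IP detection over NetFlow v5 style records (added example).

Assumptions (not from the slides): the monitored space is one prefix,
records are reduced to the slide-10 fields, and "Life Time" is treated
as a fixed observation window in seconds. The sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITORED = ip_network("192.0.2.0/24")   # assumed observed prefix (documentation range)

# NetFlow v5 tcp_flags is the cumulative OR of TCP flags seen in the flow.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Flow:
    start: int      # seconds since epoch (constructed)
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    flags: int      # cumulative TCP flags, 0 for non-TCP
    packets: int


def find_virtual_sensors(flows, window):
    """Addresses in MONITORED that receive flows but never send one
    within `window` seconds of the first record (Life Time assumption)."""
    if not flows:
        return set()
    t0 = min(f.start for f in flows)
    senders = set()      # senders list (cache) from slide 12
    receivers = set()    # virtual sensor candidates
    for f in flows:
        if f.start - t0 > window:
            continue
        if ip_address(f.src) in MONITORED:
            senders.add(f.src)
        if ip_address(f.dst) in MONITORED:
            receivers.add(f.dst)
    return receivers - senders


def classify(flow):
    """Label an inbound flow to a virtual sensor with a slide-6 category."""
    if flow.proto == 6:
        if flow.flags & SYN and not flow.flags & ACK:
            return "scan"            # bare SYN: port or host scanning
        if flow.flags & RST or (flow.flags & SYN and flow.flags & ACK):
            return "backscatter"     # SYN-ACK / RST reply to a spoofed source
    return "other"                   # UDP probes, misconfiguration, etc.


def collect_anomalies(flows, window=600):
    """Return (virtual sensors, per (proto, dport) packet counts by category)."""
    sensors = find_virtual_sensors(flows, window)
    by_port = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst in sensors:
            by_port[(f.proto, f.dport)][classify(f)] += f.packets
    return sensors, {k: dict(v) for k, v in by_port.items()}


# Constructed sample: 192.0.2.10 is a live host; .200 and .201 are unused.
SAMPLE = [
    Flow(1000, "192.0.2.10", "203.0.113.5", 6, 51000, 80, SYN | ACK, 20),    # mutual traffic
    Flow(1001, "203.0.113.5", "192.0.2.10", 6, 80, 51000, SYN | ACK, 18),
    Flow(1002, "198.51.100.7", "192.0.2.200", 6, 2345, 135, SYN, 1),         # scan of unused IP
    Flow(1003, "198.51.100.7", "192.0.2.201", 6, 2346, 445, SYN, 1),
    Flow(1004, "198.51.100.7", "192.0.2.10", 6, 2347, 135, SYN, 1),          # same scan hits a live host
    Flow(1005, "203.0.113.99", "192.0.2.200", 6, 80, 40000, SYN | ACK, 3),   # DDoS backscatter
    Flow(1006, "203.0.113.99", "192.0.2.201", 6, 80, 40001, RST | ACK, 2),
    Flow(1007, "198.51.100.9", "192.0.2.200", 17, 1026, 1026, 0, 4),         # UDP probe
]

if __name__ == "__main__":
    sensors, stats = collect_anomalies(SAMPLE)
    print("virtual sensors:", sorted(sensors))
    for (proto, port), counts in sorted(stats.items()):
        print(f"proto {proto} dport {port}: {counts}")
```

Note that the scan against the live host 192.0.2.10 is not counted: it communicates two-way, so it is in the senders cache and never becomes a sensor. That is exactly the property the slides rely on, and also why Netflow sampling hurts accuracy: if the sampled flows miss a live host's outbound traffic, it is wrongly promoted to a Virtual Sensor.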

13 Parameters: Life Time

14 Parameters: Limit timer

15 Experiment configuration: a malicious host and a worm-infected host send anomaly packets and scanning packets across a wide area network; the intermediate router, which is the target of flow observation, sits in front of the autonomous system APAN-JP.

16 Comparison: Port 135/tcp

17 Comparison: Port 135/tcp (continued)

18 Comparison: Port 445/tcp

19 Comparison: Port 1026/udp

20 Comparison: Port 22/tcp

21 Comparison: Port 80/tcp

22 Conclusion: Virtual Dark IP is a new method for flow-based analysis that needs no physical sensors. A certain similarity between Virtual Sensors and physical sensors was verified; a real comparison, with both kinds of sensor at the same place and the same time, is planned.

23 Thank you!

24 Extra Slides
